I'm having some trouble with my JBoss 3.0.3/Tomcat 4.1.12 bundle regarding basic authentication. The web app has two pages, one that's protected by a security constraint and one that's not. When I point the browser to the protected page, the browser makes me log in, which is what I want, and HttpServletRequest.getRemoteUser() returns the right user ID. But if I return to the unprotected page, in the same session, getRemoteUser() returns null! Both requests occur in the same servlet context (I checked) and the same HTTP session (I checked). Can anybody think of what might be going on?

I guess us app developers have to secure every page in that case. OK, so how do I give a user browsing a page for the first time a default role of "guest", without them having to log in - that'll solve it! Any takers? :-)

I love JBoss, but I doubt that being able to access the remote user info under non-protected resources wouldn't also be legitimate - plus a whole lot more useful.

Anyways... for now I'll use a filter mapped to JSPs that gets the auth info from the session and chucks it in a subclassed HttpServletRequestWrapper to suit the isUserInRole etc. needs. People having success this way?
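
A sketch of the filter-plus-wrapper approach described in the last post, added here as an example and not code from the thread or from JBoss/Tomcat. The class name, session attribute keys and the `KNOWN_ROLES` list are hypothetical, and it assumes the filter is mapped to both the protected and the unprotected URLs.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionAuthFilter implements Filter {
    static final String AUTH_USER = "example.auth.user";    // hypothetical key
    static final String AUTH_ROLES = "example.auth.roles";  // hypothetical key
    // Assumption: the roles declared in web.xml; the Servlet API cannot enumerate them.
    static final String[] KNOWN_ROLES = { "user", "admin" };

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        if (req.getUserPrincipal() != null) {
            // Container authenticated this request. This is the only place the
            // session copy is written; it is never taken from client input.
            Set roles = new HashSet();
            for (int i = 0; i < KNOWN_ROLES.length; i++)
                if (req.isUserInRole(KNOWN_ROLES[i])) roles.add(KNOWN_ROLES[i]);
            HttpSession s = req.getSession();
            s.setAttribute(AUTH_USER, req.getUserPrincipal().getName());
            s.setAttribute(AUTH_ROLES, roles);
            chain.doFilter(req, rs);
            return;
        }
        HttpSession s = req.getSession(false);
        final String user = (s == null) ? null : (String) s.getAttribute(AUTH_USER);
        final Set roles = (s == null) ? null : (Set) s.getAttribute(AUTH_ROLES);
        if (user == null) { chain.doFilter(req, rs); return; }  // anonymous visitor
        // Unprotected resource: expose the cached identity through the standard API.
        chain.doFilter(new HttpServletRequestWrapper(req) {
            public String getRemoteUser() { return user; }
            public Principal getUserPrincipal() {
                return new Principal() { public String getName() { return user; } };
            }
            public boolean isUserInRole(String r) {
                return roles != null && roles.contains(r);
            }
        }, rs);
    }
}
```

The wrapped identity is only as fresh as the session copy, so pages that must enforce access should stay behind a security constraint; remove both attributes on logout so the cached user does not outlive the login.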